A total of seven high-severity vulnerabilities have been identified in the npm CLI packages “tar” and “#ntpmcli/arborist.”
Arborist and the tar package receive 300,000 and 20 million downloads a week, respectively. Attackers can exploit these issues to execute arbitrary code by installing untrusted npm packages on both Windows and Unix-based systems.
The zero-day flaws in the Node.js package were discovered by security researchers Philip Papurt and Robert Chen in August. The researchers informed npm about the issues through a bug bounty program.
After a further analysis, the GitHub security team discovered more high-severity bugs in the packages mentioned.
The Node.js tar package is a core dependency that developers use to install packages after their installations. It is also used by thousands of open-source projects. The arborist package is widely used to manage npm CLI tree configurations.
These security issues can cause developers to install unreliable packages on their machines.
The issues may also “result in unexpected arbitrary file overwrites and subsequent code execution when installing untrusted packages… These dependents may also use tar to extract potentially untrusted tar archives,” according to GitHub.
Owing to the issues listed below, the npm package could be abused to overwrite arbitrary files:
“There were seven issues in total. Five separate issues in tar extraction of tar archives were addressed, but only two (CVE-2021-32804, CVE-2021-37713) directly affected npm package installations. In addition, two separate issues in @npmcli/arborist (CVE-2021-39134, CVE-2021-39135) were patched that also directly affected npm package installations,” GitHub’s Mike Hanley explained.
Developers are asked to upgrade their tar dependency version to fix the issues. For npm, versions v6.14.15, v7.21.0, and the ones later have the issue already resolved. Also, the Node.js versions 12, 14, or 16 have the fixed tar version and admins can safely upgrade to these versions.